Wednesday, November 05, 2008

These are some quick notes from a session on AppLocker by Paul A. Cooke, Tech-Ed EMEA 2008:

As you may have seen, I've written a few articles on Software Restriction Policy (SRP) under Windows XP and Windows Vista for www.windowsecurity.com (see below). I'm happy to report that Microsoft has now improved this functionality and renamed it: AppLocker!

Unfortunately I cannot bring you any screenshots (because of NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows (7) environment. You can enforce application standardization – both from a security (malware), and from a management point of view (licensing & user control).

What most organizations try to do these days is to limit users to standard (non-administrator) accounts on their local machines. However, that alone is not enough to feel secure as an IT administrator. Running as a standard user is not the solution to all of our problems. Plenty of code does its damage entirely within the user's context: stealing, deleting, manipulating or encrypting data, joining the machine to a botnet, sending spam, social engineering and so on. This goes for applications that install per-user (like Google Chrome) as well as for plain executables that never install at all; they just run!

If you want to control which applications can run and which cannot, you need another approach. AppLocker comes to the rescue!

AppLocker has been built around digital signatures, i.e. signing of software executables and DLLs. This was also an option in SRP under Windows XP, where we had path, filename, hash and certificate rules, but it was pretty hard to manage and enforce back then. With Windows 7, a new GUI has been added to the Group Policy editor to support easy creation of software rules. We have 3 types of rules:

- Allow rules: the same as whitelisting ('known good' software)
- Deny rules: the same as blacklisting ('known bad' software)
- Exceptions: exclusions from allow or deny rules

Allow rules are of course the recommended approach: a "default deny" for all applications (whitelisting), plus the specific applications the administrators want users to be able to run. As an administrator you get granular control of specific applications, enforcing who can run and/or install them (provided they have the appropriate rights and permissions).

Administration is done through Group Policy under Computer Configuration > Application Control Policies, but strangely enough the rules target users and groups (it is still unclear whether the SYSTEM account is excluded from the checks, as it is in SRP). So these are actually computer policies that are able to hit users, much like loopback processing or Group Policy Preferences.

You can create multiple rule sets and take advantage of specific attributes, like application version (equal to/above/below X.0.0.0), filename (executable name), product publisher (the publisher name from the certificate used to sign the file), product suite (like "Microsoft Office 2007"), and wildcards still seem to be supported.

You can control executables, installers (MSI), scripts and DLLs using certificate (publisher), hash or path rules. The disadvantage of hash rules is that the hash changes whenever the application is updated; certificate/publisher rules are much more flexible, because the signature will still be there after an update (unless the developers totally mess up). Path rules are only as strong as the ACLs on the paths they allow: a user who can write into an allowed folder can run anything from it. So always try to go for publisher rules, certificates are here to stay :)

AppLocker can run in 3 modes: Enforce policy, Enforce policy using Group Policy inheritance, and Audit only! The latter is pretty cool, as you can configure the policy and test it out (the event log tells you what would have been blocked) before you go "live".

AppLocker supports import and export of rules, which can be very useful, but one of the best new features is that there's no need to create all the rules manually: you have the option to "automatically generate rules". This feature analyzes a "reference machine" (not sure yet whether this has to be the local machine) and the files in a given folder on that machine (not sure yet whether this can be a share). You can compare it to a "snapshot" feature: take all files in this folder (and subfolders) and make allow rules from them (certificate based, preferably).

The new rule creation tools and wizards seem pretty straightforward, but you really need to think about the design before you go for it, and test intensively, or else you'll end up in serious trouble ;-)
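The workflow from these notes (snapshot a reference folder, prefer publisher rules with hash rules as fallback, start in audit mode, then read back what would have been blocked) as an added PowerShell example. It is not from the session or the post; it uses the AppLocker cmdlets that shipped with Windows 7 / Server 2008 R2, and the reference folder, output path and the binary used for the dry run are assumptions.

```powershell
# Added example, not from the post: build an AppLocker allow-list from a reference
# folder, deploy it in audit-only mode, and read the audit events back.
# Needs an elevated Windows PowerShell session on Windows 7 / Server 2008 R2 or later.
Import-Module AppLocker

$ReferenceDir = 'C:\Program Files'            # assumed reference folder ("snapshot" source)
$PolicyXml    = 'C:\Temp\AppLocker-Audit.xml' # assumed output path

# AppLocker does nothing, not even auditing, unless the Application Identity service runs.
# (On recent Windows versions the service is protected; use: sc.exe config appidsvc start= auto)
Set-Service -Name AppIDSvc -StartupType Automatic -ErrorAction SilentlyContinue
Start-Service -Name AppIDSvc

# 1. Inventory the reference folder: publisher, hash and path information for every file.
$files = Get-AppLockerFileInformation -Directory $ReferenceDir -Recurse `
             -FileType Exe, Dll, Script, WindowsInstaller

# 2. Publisher rules where the file is signed, hash rules only as a fallback for unsigned
#    files; -Optimize folds per-file rules into one rule per publisher/product.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
              -User Everyone -Optimize

# 3. Audit only: nothing is blocked yet, but every would-be block is logged.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $PolicyXml -Encoding UTF8

# 4. Dry-run the policy against a binary before it is applied anywhere.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path "$env:SystemRoot\System32\cmd.exe" -User Everyone

# 5. Apply locally; add -Ldap '<LDAP path of a GPO>' to write it into a GPO instead.
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 6. After some time in audit mode: what would have been blocked? Event ID 8003 in the
#    AppLocker log means "allowed to run, but would have been blocked under enforcement".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

The 8003 events are the list of things your users actually run that the snapshot did not cover; add rules for the legitimate ones, then switch the collections from AuditOnly to Enabled.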

Monday, October 20, 2008

I made a few small modifications to this script created by Jakob Heidelberg to search for printers manually created in user profiles. This is very useful when you want to ensure that everybody has only auto-created printers, from Citrix or ThinPrint.

The script loads the ntuser.dat of each profile, checks some registry keys, writes a log and unloads ntuser.dat again. Users may have problems loading their profiles if you run this script at the same time as they try to log on.
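The same idea as an added PowerShell example (this is not the VBS script from the post): enumerate the local profiles, mount each NTUSER.DAT under a temporary key, list the printers the user created, log them and unmount the hive again. It skips profiles whose hive is already loaded, which is the situation the post warns about. The log path and the temporary key name are assumptions.

```powershell
# Added example, not the script from the post: walk every local profile, load its
# NTUSER.DAT, list printer connections the user created, log them, and unload again.
# Run elevated. Profiles that are currently loaded are skipped: their hive is locked,
# and mounting a hive while a user logs on breaks the profile load.
$LogFile     = 'C:\Temp\ManualPrinters.log'   # assumed log path
$TempKey     = 'HKU\TempHive'                 # temporary mount point for each hive
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ManualPrinters {
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\TempHive'
    $found = @()
    # Printers\Connections holds network printers the user connected; subkey names look
    # like ",,server,printer".
    foreach ($c in Get-ChildItem -Path "$HiveRoot\Printers\Connections" -ErrorAction SilentlyContinue) {
        $found += ($c.PSChildName -replace ',', '\')
    }
    # Devices lists every printer the user has, auto-created ones included; value names
    # are the printer names.
    $dev = Get-ItemProperty -Path "$HiveRoot\Software\Microsoft\Windows NT\CurrentVersion\Devices" -ErrorAction SilentlyContinue
    if ($dev) {
        $found += ($dev.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object Name)
    }
    return ($found | Sort-Object -Unique)
}

$loaded = (Get-ChildItem Registry::HKEY_USERS).PSChildName   # SIDs whose hive is mounted right now
foreach ($p in Get-ChildItem $ProfileList) {
    $sid  = $p.PSChildName
    $path = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $hive = Join-Path ([Environment]::ExpandEnvironmentVariables($path)) 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { continue }
    if ($loaded -contains $sid) { "$sid : profile is loaded, skipped" | Add-Content $LogFile; continue }

    & reg.exe load $TempKey $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { "$sid : could not load $hive" | Add-Content $LogFile; continue }
    try {
        $printers = Get-ManualPrinters -HiveRoot 'Registry::HKEY_USERS\TempHive'
        "$sid ($path): $($printers -join '; ')" | Add-Content $LogFile
    } finally {
        [GC]::Collect()                      # drop PowerShell's registry handles, or unload fails
        & reg.exe unload $TempKey | Out-Null
    }
}
```

Compare the Devices names against the naming pattern of your Citrix/ThinPrint auto-created printers; anything that does not match, or that appears under Connections, was added by the user.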

Sunday, October 12, 2008

Well, I’m a Microsoft kinda guy – but I do have a problem with one “feature” which has been part of the Windows OS for some time…

Normally I change the default behavior under Power Options so that Windows does NOT start a STANDBY process when I close the lid of my laptop, but I haven't done it on all of my machines and under every user profile I have (and customers have the same issue).

So, what happens is that you are done for the day, you start a SHUTDOWN process as usual, and then you close the laptop lid, and a STANDBY process starts. Doh!

That means the SHUTDOWN process is put into STANDBY mode, and the next time you boot your laptop, the machine state resumes just to finalize the SHUTDOWN process... And then you have to boot your machine again to get started. Hmmm, I definitely don't like it!

So what should happen? Well, once a SHUTDOWN process has started, a STANDBY process should NOT be able to "take over". Just let me close the laptop lid and continue the already started SHUTDOWN process, thanks :)

OK, I admit that it’s only a problem when I haven’t changed the default Power Settings, but I can’t be the only human being in this world with that particular problem!?!? Why would you EVER want a SHUTDOWN process to be put into STANDBY mode?

BTW, I have seen that Mac and Ubuntu people have had the same issue on some versions. I don't know if it has been fixed on those OSes; I have the problem on all the different Windows systems I run on laptops.

Tuesday, May 27, 2008

We've seen hacks like this before, no doubt about it - but it's a really nice trick which you gotta love (and hate) - check it out here!

So, basically this hack requires PHYSICAL ACCESS to the hard drive. Using BackTrack (or some other boot utility capable of reading/writing NTFS), the file Utilman.exe in \Windows\System32 is replaced with Cmd.exe. After a reboot, at the logon screen, when Utilman is called (by hitting Win-key + U) you get a nice command prompt running as SYSTEM, before anyone has logged on. Pretty powerful... From there the only limit is your imagination!

Yes, BitLocker (full-volume encryption of the OS drive, so that nothing booted from outside Windows can modify System32) protects us from attacks like these, so somebody please call Mr. BitLocker!
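If you cannot roll out BitLocker everywhere, you can at least detect the swap. This added PowerShell example (not from the post) compares the accessibility binaries in System32 with cmd.exe and checks their signature; a replaced Utilman.exe is byte-identical to cmd.exe and still carries cmd.exe's file description. It goes beyond the post by also checking sethc.exe, osk.exe, Magnify.exe and Narrator.exe, which can be abused the same way from the logon screen.

```powershell
# Added example, not from the post: detect the Utilman.exe-replaced-by-cmd.exe trick.
# Run elevated on the machine (or against a mounted offline volume by changing $Dir).
$System32 = Join-Path $env:SystemRoot 'System32'
$Targets  = @('Utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe', 'Narrator.exe')  # logon-screen accessibility binaries

function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Test-AccessibilityBinaries {
    param([string]$Dir = $System32, [string[]]$Names = $Targets)
    $cmdHash = Get-Sha256 (Join-Path $Dir 'cmd.exe')
    foreach ($name in $Names) {
        $file = Join-Path $Dir $name
        if (-not (Test-Path $file)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File        = $name
            SameAsCmd   = ((Get-Sha256 $file) -eq $cmdHash)   # TRUE means it IS a copy of cmd.exe
            SignatureOK = ($sig.Status -eq 'Valid')           # catalog-signed OS files may show NotSigned on old PowerShell
            Signer      = $sig.SignerCertificate.Subject
            # A copied cmd.exe keeps its own version resource: "Windows Command Processor".
            Description = (Get-Item $file).VersionInfo.FileDescription
        }
    }
}

Test-AccessibilityBinaries | Format-Table -AutoSize
```

Treat SameAsCmd = True, or a FileDescription that does not belong to the accessibility tool, as a confirmed tamper; the signature column is a supporting signal only, because older PowerShell versions do not verify catalog signatures and report clean OS files as NotSigned.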

Tuesday, April 22, 2008

So, I'm back home from a great trip to Seattle, Washington, US. The MVP Summit 2008 was a cool experience with lots of info and room for dialog with the product teams at the Microsoft Campus in Redmond.

We had some awesome talks on the future of Group Policy and I would really like to share it with you, but because of Non-Disclosure Agreements 'n' stuff I can't really say anything - yet.

Seattle is a very interesting city with a lot of great restaurants, nice architecture and friendly people. I had 2½ days to spend after the summit and even though I was missing my family, Seattle took great care of me :)

Anyway, I hope to go back there next year - better prepared for jetlag (which basically means I'll travel a few days before the event next time) - but, that all depends on how much time I get to share information with you guys/girls out there... No sharing, no MVP award - that's the rule ya' know ;-)

Saturday, April 05, 2008

This post gives you some links to White Papers and Guides available online from the Microsoft download site. I hope you can use some of it to analyze and protect your own network(s)!

New Security White Paper of April 2008:

"The Microsoft US National Security Team is composed of strategic security advisors who work with Microsoft customers, partners, MS internal constituencies and the information security industry to promote the adoption of security processes and technologies. The NST also focuses on driving vertical security solutions for a wide range of industries. To this end, the NST has produced a number of white papers that address the specific security needs of particular industries, such as the professional services and financial services industries."

"The Fundamental Computer Investigation Guide for Windows Solution Accelerator is intended for IT professionals who need to effectively conduct investigations of Microsoft® Windows®–based computers in their organizations. It provides a computer investigation model as well as process and best practice information. The guide also provides a fictitious example of an investigation that involves unauthorized access to confidential information. This investigation uses the provided guidance and demonstrates the use of numerous tools. Information is also included about how to configure a lab to create the example scenario. An appendix provides information about how to prepare for computer investigations, sample worksheets, contact information for reporting different types of computer-related crimes to appropriate law enforcement agencies, and lists of useful tools."

And finally, what about checking out the "The Security Risk Management Guide"?:

"The Security Risk Management Guide explains how to conduct each phase of a security risk management project and create an ongoing process that drives the organization towards the most useful and cost-effective controls to mitigate security risks. It incorporates real-world experiences from Microsoft IT and also includes input from Microsoft customers and partners. This guide references many industry accepted standards for managing security risks. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their IT infrastructures."

If you have messed around with a Windows Server 2008 Server Core installation, you've probably had some challenges along the way, like: how do I join a computer to the domain using a command prompt, how can I add features, tweak the firewall etc.? Well, a nice and very useful solution to many of the basic configuration tasks is out there, and it's free of course!

Go check out CoreConfigurator (Server Core Configurator) written by Guy Teverovsky - look how easy it is and stop acting like a geek sent back to the early 90s :-)

Tuesday, March 18, 2008

A new and shiny - free! - tool from BeyondTrust makes it possible for admins around the world to figure out exactly what rights different applications in the environment need to run. This kind of info is essential for removing administrative rights from users and running a "principle of least privilege" environment!

We all know, that administrative rights allow users to circumvent security policies, install unauthorized applications and make unauthorized modifications to a standard desktop configuration - let's move away from those risks... Just register, download and test out this free application - this is "low hanging fruit" giving your environment a needed security-vitamin injection!

A desktop component can be installed on multiple computers to transparently examine applications during execution. The reporting console gives a nice overview of the applications in the environment from a central point.

Saturday, March 01, 2008

I participated in the creation of this great guide on security in Windows Server 2008. Really, you gotta see this... Also check out the new and shiny Solution Accelerator called "GPOAccelerator", it really rocks!

Info from Microsoft: The primary purposes of this guide are to enable you to do the following:

Use the solution guidance to efficiently create and apply tested security baseline configurations using Group Policy.

Understand the reasoning for the security setting recommendations in the baseline configurations that the guide prescribes, and their implications.

Identify and consider common security scenarios, and then use specific security features in Windows Server 2008 to help you manage them in your environment.

Understand role based security for different workloads in Windows Server 2008.

Hardening: The WS2008 Security Guide also includes information on how to harden the following server roles and the role services that they provide:

Active Directory Domain Services (AD DS)

Dynamic Host Configuration Protocol (DHCP) Server

Domain Name System (DNS) Server

Web Server (IIS)

File Services

Print Services

Active Directory Certificate Services (AD CS)

Network Policy and Access Services

Terminal Services

The "complete solution" from Microsoft: The Solution Accelerator for the Windows Server 2008 Security Guide includes the following components:

Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.

Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads (see above).

GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.

When you have downloaded the Group Policy Preferences (GPP) Client Side Extensions (CSEs) you'll notice that they are not (yet) in .MSI format, so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?

We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista... But that's not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack level, and whether or not the Group Policy Preferences prerequisite (XmlLite, http://support.microsoft.com/kb/914783/en-us) is installed.

To make all this pretty easy I've created a "demo" script for deploying the GPP CSEs as a Startup Script, or by manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this, so a couple of hours later the "demo" (or "beta") script is public (download below)... Note: I haven't been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems; any feedback is welcome! Download the VBS script right here!

NB! You might need another language version of the XmlLite GPP CSE prerequisite, so watch out! Running the script in your production network is at your own risk. The code is delivered "As Is", totally free of any charge. No strings attached.
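The decision logic such a deployment script has to make (OS family, architecture, service pack, XmlLite present, CSE already installed, then pick the package) as an added PowerShell example. This is not the author's VBS script: the package file names in the table, the name of the CSE DLL used as the "already installed" marker and the XP service pack minimum are assumptions you must replace with the real values from the Microsoft download.

```powershell
# Added example, not the author's script: gather the facts the post says must be checked
# before deploying the GPP CSEs, and select the matching package.
$Packages = @{   # ASSUMED file names: "family|arch" -> installer in the deployment share
    'XP|x86'    = 'GPP-CSE-XP-x86.exe'
    '2003|x86'  = 'GPP-CSE-2003-x86.exe'
    '2003|x64'  = 'GPP-CSE-2003-x64.exe'
    'Vista|x86' = 'GPP-CSE-Vista-x86.msu'
    'Vista|x64' = 'GPP-CSE-Vista-x64.msu'
}

function Get-DeploymentFacts {
    $os   = Get-CimInstance Win32_OperatingSystem
    $arch = if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }
    $family = switch -Regex ($os.Version) {
        '^5\.1' { 'XP' }
        '^5\.2' { '2003' }
        '^6\.0' { 'Vista' }       # Windows Server 2008 reports 6.0 too and ships with the CSEs built in
        default { 'Unsupported' }
    }
    [pscustomobject]@{
        Family       = $family
        Architecture = $arch
        ServicePack  = $os.ServicePackMajorVersion
        XmlLite      = Test-Path (Join-Path $env:SystemRoot 'System32\xmllite.dll')   # KB914783 prerequisite on XP/2003
        CseInstalled = Test-Path (Join-Path $env:SystemRoot 'System32\gpprefcl.dll')  # assumed marker: the GPP client DLL
    }
}

function Select-CsePackage {
    param($Facts, [hashtable]$Table = $Packages)
    if ($Facts.CseInstalled) { return $null }                               # nothing to do
    if ($Facts.Family -in 'XP', '2003' -and -not $Facts.XmlLite) {
        throw 'Install XmlLite (KB914783, matching language version) before the CSE'
    }
    if ($Facts.Family -eq 'XP' -and $Facts.ServicePack -lt 2) { throw 'XP SP2 or later required (assumed minimum)' }
    $pkg = $Table["$($Facts.Family)|$($Facts.Architecture)"]
    if (-not $pkg) { throw "No package for $($Facts.Family) $($Facts.Architecture)" }
    return $pkg
}

$facts = Get-DeploymentFacts
$pkg   = Select-CsePackage -Facts $facts
if ($pkg) { "Would run: \\server\share\$pkg" } else { 'GPP CSE already present or not applicable' }
```

Run as a Startup Script this executes as SYSTEM, which is what the .EXE/.MSU installers need; log the chosen package and the exit code of the installer so you can see which clients are still missing the CSEs.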

To get Group Policy Preferences on your network all you need is a single Windows Server 2008 as a management station in your existing Windows Server 2003 AD (or 2008 AD of course). When RSAT (Remote Server Administration Tools) is out there (very soon!) a Windows Vista SP1 machine will be enough to get this cool functionality in your domain!

But remember, no GP Preferences (GPP) without the CSEs - so go ahead and download them now ;-)

Friday, February 15, 2008

Today I went for the CEH v5 exam (EC-Council exam 312-50), which I'd been studying for a while. It had no less than 150 questions, and pretty tough ones too, but I managed to pass it (85%, which is OK considering US law was part of the questions).

I can really recommend going for this exam, it's somethin' else dude! The questions are short and exact (still multiple choice), but the process of getting there is VERY cool and interesting. Personally I downloaded a lot of spooky tools and guides, created an isolated network with virtual machines and tested, tested, tested. It was fun, I can tell you; I can't seem to stop studying this stuff!

If you're a totally cool (white-hat) hacker dude already, you could probably go for the latter only (it will give you the overall idea of what this exam is all about, the CEH terminology etc.). BUT the first one mentioned, by Michael Gregg, is actually a VERY good introduction (broad and deep) to the world of haxin'.

The whole idea with this exam is that to be a professional penetration tester or security consultant, you need the skills and tools of the hackers. Put yourself in their place and start looking for your (or your customers') weakest link! A security system is only as strong as its weakest link, which also means that security is a process (maintenance).

Wednesday, February 13, 2008

Welcome to "The Quest for the Holy Desktop WMI Filter". This is a global search for what you could call "The Perfect Desktop WMI Filter": a WMI filter which, using WMI Query Language (WQL), is able to spot DESKTOP computers only. It should be a general query, meaning it should be possible to use the filter for Group Policy filtering in most Active Directory environments around the globe.

So, what is a desktop really? Well, in this case we'll say it's the opposite of a laptop. Hmm, then what is a laptop? Easy enough: a computer with a battery! We've got the WMI filter for finding laptops already:

Select * from Win32_Battery - don't you just love the simplicity in this query?

This filter makes a computer with a battery respond with "TRUE" (because an instance of the WMI class is present), meaning a GPO with this filter will apply to computers with batteries. Simple, right? And you might think it's easy to just "turn it around" to find desktops, like:

Select * From Win32_Battery Where Availability != 2
Select * From Win32_Battery Where Availability IS NOT NULL
"Where Not X Like Y", or whatever

Maybe it is, maybe it's not... I think it's pretty damn hard! For spotting laptops we could have tested the classes Win32_PortableBattery, Win32_PCMCIAController and Win32_POTSModem as well, but somehow I think most people will agree that the "essential thing" which makes a laptop a laptop is in fact the presence of a battery!

But our tests for spotting DESKTOPS only (machines without a battery; yes, I know this will include servers, as they are "stationary" too) have not been a success yet! We probably just need the correct syntax? And this is where you come into the picture!

Are you able to crack this nut? There's a cool prize!

This all started on a mailing list for Group Policy guys and girls called GPTalk, created and maintained by Group Policy guru and MVP Darren Mar-Elia, the guy behind GPOguy.com and SDM Software. You can join the list RIGHT HERE and participate in this contest to WIN a free copy of the:

BUT you have to be the first person to crack this thing, there'll be only ONE WINNER - that could be you!

I'll be evaluating incoming answers FIFO: "First In First Out". Hopefully we'll see the simplest solution first; simplicity works, right? Actually I wouldn't know in this case, would I...

One important thing! We kindly ask you to TEST any WMI query before sending it to everybody on the list. During your testing, you should use a tool to verify the WMI filter against a minimum of 2 desktops and 2 laptops. You can use the free WMI Filter Validation Tool to test your WMI filters in your environment. Personally I'm also using Scriptomatic version 2 and WBEMTEST for finding the available classes, items, queries etc.

Please have a look at the "rules" further down!

Why do this? Well, because it's fun and useful at the same time... Generally speaking, the purpose of this filter is to say: "I want these user settings to apply, but only when the user logs on to stationary machines". This can be used for a lot of security related settings, e.g. where automatically cached Offline Files/Folders are unwanted on stationary machines for certain users. The job of most WMI filters placed on user policies is to limit which machines the policy setting(s) should apply to (even though WMI filters could check for user specific things too). Besides that, it's a nice challenge: we can pretty easily "spot" laptops, as they have batteries and desktops don't, but that's not good enough for Mr. WQL, is it?!

Stuff we have tried - and the rules

We've been around solutions looking at Win32_SystemEnclosure > ChassisTypes before, which basically doesn't work in a WMI filter because that property is an array (and yes, I've also seen lots of posts on forums out there claiming that particular class is the solution, but for WMI/WQL queries it's not). It would work in a script (because you can add additional logic to scripts), but we are searching for a WMI filter, not workarounds of any kind!

As mentioned, we tried the Win32_Battery WMI class. However, the class exists on desktops too; it just has no instances there, and a filter whose query returns no instances evaluates to FALSE no matter what you put in the WHERE clause. Basically a desktop computer is gonna say "Heck, I have nothing that matches *Panic* I'm out!", or just "False"... Bummer!

We have also tried PowerSupplyState, Win32_DesktopMonitor, Win32_DisplayConfiguration, Win32_SystemSlot, Win32_Fan and other classes, but we just haven't found the perfect "this is definitely a desktop" WMI class or property value...

C) Some way of saying “if you don’t know the class (eg. Win32_Battery), then apply the GPO anyway”

Again, the "quest" is to find the perfect, *universal* way of spotting "non-laptops" or desktops. It can of course be done by looking for a special computer manufacturer/model, BIOS version, specific hardware driver or whatever, but that stuff is most likely going to differ from environment to environment. Also, if we all just used computer names like "DESKxxx" for desktops and "LAPTxxx" for laptops, we could have used WMI filters on the computer name, but unfortunately that's not the case, or at least I won't consider that a valid solution :)

The thing is that normally it's the LAPTOPS that have special hardware, like batteries and built-in modems, PCMCIA slots etc., so they are pretty easy to find. With desktop computers it's another story; hope you can help us out here!

Please, again, we know lots of "workarounds", but what we need is a *WMI filter* and it has to return *TRUE* for *DESKTOPS* (or let's call them NON-LAPTOPS or NON-PORTABLES, it doesn't really matter).

Remember, simplicity works; maybe the answer/solution is pretty straightforward? Feel free to post any additional questions to the mailing list!
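Before mailing a candidate to the list, you can evaluate it locally the way the Group Policy engine does: a filter is TRUE when its query returns at least one instance and FALSE on zero instances or an error. This added PowerShell example (not from the post) wraps that rule in a function, runs the "inverted" Win32_Battery attempts from above through it, and, going one step beyond the post, includes Win32_ComputerSystem.PCSystemType, which does identify desktops but only exists on Vista and later, so it fails the "universal" requirement for XP/2003 domains.

```powershell
# Added example, not from the post: evaluate WQL filter candidates with the same
# TRUE/FALSE rule the Group Policy engine applies, and show why inverting
# Win32_Battery cannot work.
function Test-WmiFilter {
    param([string]$Query, [string]$Namespace = 'root\CIMv2')
    try {
        $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($instances.Count -gt 0)      # at least one instance => filter TRUE
    } catch {
        return $false                         # bad query or missing class => filter FALSE
    }
}

$candidates = @(
    'SELECT * FROM Win32_Battery',                               # TRUE on laptops, FALSE on desktops
    'SELECT * FROM Win32_Battery WHERE Availability != 2',       # desktop: zero rows, so still FALSE
    'SELECT * FROM Win32_Battery WHERE Availability IS NULL',    # same: WHERE cannot produce rows that do not exist
    'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 1'  # 1 = Desktop, 2 = Mobile; Vista+ only
)
foreach ($q in $candidates) {
    '{0,-5} {1}' -f (Test-WmiFilter -Query $q), $q
}

# ChassisTypes on Win32_SystemEnclosure is an array, which is why it is useless in a
# WQL filter but fine in a script:
$chassis = (Get-CimInstance Win32_SystemEnclosure).ChassisTypes
"ChassisTypes = $($chassis -join ',')  (3 = Desktop, 8/9/10 = Portable/Laptop/Notebook)"
```

Run it on two desktops and two laptops, as the rules require; the first three lines print False on every desktop, which is the whole problem in one screen.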

Another example of what has been tried

We could maybe try going for the presence of PCI (and not Mini-PCI) or AGP slots, as we expect most desktops to have PCI slots (and laptops to have Mini-PCI, but that would depend on the form factor), or maybe AGP (but does onboard VGA count as AGP? Any PCI VGA cards left out there? Yeah, probably...). If not we could maybe go for something like this:

SUMMARY

This article describes how to extend, or re-arm, the Windows Server 2008 evaluation period. The evaluation period is also known as the "activation grace" period. These instructions apply to any edition of Windows Server 2008. This includes evaluation copies.

INTRODUCTION

Evaluating Windows Server 2008 software does not require product activation. Any edition of Windows Server 2008 may be installed without activation, and it may be evaluated for 60 days. Additionally, the 60-day evaluation period may be reset (re-armed) three times. This action extends the original 60-day evaluation period by up to 180 days for a total possible evaluation time of 240 days. Note Although you can reset the 60-day evaluation period, you cannot extend it beyond 60 days at any time. When you reset the current 60-day evaluation period, you lose whatever time is left on the previous 60-day evaluation period. Therefore, to maximize the total evaluation time, wait until close to the end of the current 60-day evaluation period before you reset the evaluation period.

MORE INFORMATION

How to install Windows Server 2008 without activating it

1. Run the Windows Server 2008 Setup program.
2. When you are prompted to enter a product key for activation, do not enter a key. Click No when Setup asks you to confirm your selection.
3. You may be prompted to select the edition of Windows Server 2008 that you want to evaluate. Select the edition that you want to install. Note: After Windows Server 2008 is installed, the edition cannot be changed without reinstalling it.

4. When you are prompted, read the evaluation terms in the Microsoft Software License Terms, and then accept the terms.
5. When the Windows Server 2008 Setup program is finished, your initial 60-day evaluation period starts. To check the time that is left on your current evaluation period, run the Slmgr.vbs script that is in the System32 folder with the -dli switch. The slmgr.vbs -dli command displays the number of days that are left in the current 60-day evaluation period.

How to manually extend the evaluation period

When the initial 60-day evaluation period nears its end, you can run the Slmgr.vbs script to reset the evaluation period. To do this, follow these steps:

1. Click Start, and then click Command Prompt.
2. Type slmgr.vbs -dli, and then press ENTER to check the current status of your evaluation period.
3. To reset the evaluation period, type slmgr.vbs -rearm, and then press ENTER.
4. Restart the computer.

This resets the evaluation period to 60 days.
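Because a re-arm throws away whatever is left of the current period, a script that runs on a schedule should check the remaining time first and only re-arm near the end. This added PowerShell example (not part of the KB text) reads the grace period through the same WMI classes slmgr.vbs uses; it needs PowerShell 3 or later, so on the 2008 box itself you would keep using slmgr.vbs. The threshold is an assumption, and the RemainingWindowsReArmCount property is assumed to be present (slmgr -dlv shows the same value).

```powershell
# Added example, not from the KB: re-arm only when the grace period is about to end.
$RearmThresholdDays = 3   # assumed threshold

function Get-GraceStatus {
    $svc  = Get-CimInstance SoftwareLicensingService
    # The Windows product entry: ApplicationID of Windows, with a non-zero LicenseStatus.
    $prod = Get-CimInstance SoftwareLicensingProduct |
            Where-Object { $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f' -and $_.LicenseStatus -ne 0 } |
            Select-Object -First 1
    [pscustomobject]@{
        DaysLeft      = [math]::Floor($prod.GracePeriodRemaining / 1440)   # property is in minutes
        LicenseStatus = $prod.LicenseStatus                                # 1 = Licensed, 2 = OOB grace, 5 = Notification
        RearmsLeft    = $svc.RemainingWindowsReArmCount                    # assumed property name
    }
}

function Invoke-RearmIfNeeded {
    param([int]$ThresholdDays = $RearmThresholdDays)
    $s = Get-GraceStatus
    if ($s.DaysLeft -gt $ThresholdDays) { return "Not yet: $($s.DaysLeft) days left, $($s.RearmsLeft) re-arm(s) left" }
    if ($s.RearmsLeft -le 0)            { return 'No re-arms left; the evaluation cannot be extended further' }
    # Same call slmgr.vbs -rearm makes; takes effect after a restart.
    Invoke-CimMethod -InputObject (Get-CimInstance SoftwareLicensingService) -MethodName ReArmWindows | Out-Null
    return 'Re-armed; restart the server to apply (Restart-Computer -Force from a scheduled task)'
}

Invoke-RearmIfNeeded
```

Schedule it daily instead of every 60 days: the check is cheap, and the re-arm then happens as close to the end of the period as the threshold allows.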

How to automate the extension of the evaluation period

You may want to set up a process that automatically resets the evaluation period every 60 days. One way to automate this process is by using the Task Scheduler. You can configure the Task Scheduler to run the Slmgr.vbs script and to restart the server at a particular time. To do this, follow these steps:

1. Click Start, point to Administrative Tools, and then click Task Scheduler.
2. Copy the following sample task to the server, and then save it as an .xml file. For example, you can save the file as Extend.xml.

Friday, February 08, 2008

This is just to prove my point: a single AV engine is not enough if you want to be secure.

I had this problem today at a customer: a user had received a link in her Messenger... She clicked it and probably accepted to execute the thing => Pooof (all her MSN Messenger contacts were spammed with links to the worm)!

We tried some different online scanners, as the local AV engines (no names mentioned) didn't find anything, even after updating the signatures. The online scanners I tried first didn't show anything either. This particular online scanner, however, turned out to be VERY cool and effective:

In this live webinar, Linux, UNIX and Mac admins will get a concise overview of how Group Policy works from Jeremy Moskowitz, author of authoritative works on both Windows Group Policy and Windows/Linux integration. Centrify's David McNeely will then explain the workings of the Group Policy engine that is seamlessly built into DirectControl and the unique benefits of using it for non-Windows policy enforcement. He'll also demonstrate using Windows Group Policy to lock down user and security settings on a Mac desktop system.

Register now (*CLICK HERE*) and we'll send you a free copy of our complimentary white paper on extending Windows Group Policy to Linux, UNIX and Mac.

If you have looked into "The Onion Router", or just "Tor", you have probably wondered if it would be wise to block access from these anonymizing servers (or maybe just the exit nodes). I am not gonna talk about how the encrypted Tor network works, as a great deal of info can be found "out there". The main source should be www.torproject.org, and perhaps Wikipedia.

As a security guy (or ISA administrator maybe), you ask yourself: "why do these people want to be anonymous"? In this case "anonymous" means that "they" don't want targets on the Internet to see the originating IP address (the source). A "target" is typically a web site or some other web service.

The answer? Well, first you gotta ask yourself: "who are they"? And there's really no good answer to that question, I guess; who really knows? All we can do is guess, so let me turn the question around: if I were to try out a hack, or some new exploit, would I do it directly from my personal WAN IP? Or would I try to "hide" my originating IP? Seen in that perspective, Tor networks are GREAT for hiding out; the whole idea is that it shouldn't be possible to trace the communication. What you don't know can hurt you, right? I'm not saying all Tor users are hackers or anything, because they are not, but you have to look at the odds... What do you think? I can't help thinking that if you hide from someone you have something (bad) to hide, but hey, it could be a Christmas present, right?

Anyway - you have to decide - do I want these people to be able to access my web sites and services or not? I'm not going to decide on your behalf - that's politics!

So, what can we do about it if we want them out? Well, after reading Thomas Shinder's blog entry "HammerOfGod Computer Sets — Block and Log by Country" I got an idea. How about downloading a list of Tor servers, importing it into a Computer Set (CS) and making sure that CS is an Exception on all of your published services? This way hackers out there, behind Tor servers, won't be able to poke around your IIS servers or whatever you have. (Strictly speaking only exit nodes will ever be the source of a connection to you; a list of all relays blocks more than necessary, which may or may not be what you want.)

So, I started searching for Tor lists. The best thing would probably be to create it yourself dynamically, but that would take programming skills that I unfortunately haven't got. I'm just a scripting kinda guy... The thing is, you would need a Tor client installed and extract the list from it once in a while; not possible for me (maybe you can do it easily, please post a "how to" then).

But then I found a list on Proxy.org. This list is updated regularly; the only thing is that it is formatted for easy import on Apache servers, definitely not ISA. But hey, we can change the formatting in a script and then call the "AddComputersToComputerSet.vbs" script from Microsoft... Simple: all we have to do then is configure the CS exceptions on our ISA rules, schedule the script and never touch it again!

So, I created a simple script for:

a) Downloading the latest Tor server list from Proxy.org
b) After the download, creating a new file with the correct format (machine_name<tab>IP_address)
c) Calling AddComputersToComputerSet.vbs with the correct parameters

You can download the script here; also download the script from MS (link above) and place them in the same directory. You will need a bit of VBS knowledge to "tweak" the script(s), but I've tried to make the code easy to understand. Now, make sure you can run it from your ISA box (it downloads over HTTP), and then schedule the thing (oh, and remember to remove the Msgbox "Done!" line if you want to run this as a scheduled task).

If you want it to run from another machine, take a look at the link to the AddComputersToComputerSet I provided above (some changes are needed).

Please report back if you have any bug reports or ideas! It's provided "As Is"; after downloading you're on your own :)

The dynamically created/updated ISA Computer Set:

The ISA Rule/Publishing Exceptions:

What's missing? I can think of a lot of things I'd like to add in there, but the idea with this blog entry is to "spread the word" and provide a proof of concept.

Personally I want to add logging of script actions and email alerts if the list is unavailable or some other error occurs. Also, there's a weakness in case the downloadable list is compromised somehow. Say someone adds internal/private/"not-Tor" IPs etc. to the list - it just might give some strange results for your users. So we have to trust that the list is OK/secure - but it would be a good idea to put in some sort of validation on which IP addresses are put into this particular CS.
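As an added example (not the blog's VBS script and not Microsoft's AddComputersToComputerSet.vbs), here is the conversion step from the a)/b)/c) list above with the validation the previous paragraph asks for, written in Python. The input layout (Apache-style `Allow from <ip>` lines) and the `Tor-<address>` machine-name convention are assumptions of this example, and the sample download is constructed.

```python
"""Turn a downloaded proxy/Tor list into 'machine_name<TAB>IP_address' lines
for AddComputersToComputerSet.vbs, rejecting anything that should never
reach the ISA Computer Set (malformed entries, private/internal ranges).

Added example, not the blog's own script. Assumptions: the download is a
list of Apache-style 'Allow from <ip>' lines, and machine names are built
as 'Tor-' plus the address with dashes.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Ranges that must never end up in a Tor exit Computer Set. A list entry
# inside one of these is either an error or a poisoned line: drop and report.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "10.0.0.0/8",      # RFC 1918 private
    "172.16.0.0/12",   # RFC 1918 private
    "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local / APIPA
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved and limited broadcast
)]

# Assumed input layout: one 'Allow from <address>' per line (Apache style).
ALLOW_LINE = re.compile(r"^\s*Allow\s+from\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample of a downloaded list; the addresses are documentation
# ranges and test values, not real Tor exits.
SAMPLE_DOWNLOAD = """# constructed sample list
Allow from 198.51.100.17
Allow from 203.0.113.42
Allow from 10.0.0.5
Allow from 127.0.0.1
Allow from 256.1.1.1
Allow from 198.51.100.17
Deny from 203.0.113.99
"""


def validate_ip(candidate: str) -> Optional[str]:
    """Return None when the address may go into the Computer Set, else why not."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return "not a valid IPv4 address"
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return "inside non-routable range %s" % net
    return None


def convert_list(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Parse the download; return (accepted (name, ip) pairs, rejection reports).

    Accepted entries are de-duplicated and sorted by address.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = ALLOW_LINE.match(line)
        if match is None:
            rejected.append("line %d: unexpected format: %r" % (lineno, stripped))
            continue
        ip = match.group(1)
        problem = validate_ip(ip)
        if problem is not None:
            rejected.append("line %d: %s rejected (%s)" % (lineno, ip, problem))
            continue
        # Machine-name convention is an assumption of this example.
        accepted.setdefault(ip, "Tor-" + ip.replace(".", "-"))
    ordered = sorted(accepted, key=ipaddress.IPv4Address)
    return [(accepted[ip], ip) for ip in ordered], rejected


def to_computer_set_file(entries: List[Tuple[str, str]]) -> str:
    """Render entries as the tab-separated, CRLF-terminated text for the script."""
    return "".join("%s\t%s\r\n" % (name, ip) for name, ip in entries)


if __name__ == "__main__":
    entries, rejected = convert_list(SAMPLE_DOWNLOAD)
    print(to_computer_set_file(entries), end="")
    for report in rejected:
        print("SKIPPED", report)
```

Everything that is dropped is reported rather than silently ignored, so the rejection list is the natural input for the logging and email alerting mentioned above: an unexpectedly long rejection list (or an empty accepted list) is the signal that the download has changed format or has been tampered with, and the scheduled run should stop before touching the Computer Set.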

Friday, January 25, 2008

Let everybody know the two very simple golden rules when it comes to web-applications that are communicating with SQL servers:

1. Never send user input text strings directly to the (backend) SQL server(s). Make sure to "clean it up" first (e.g. no special chars etc.). Only accept things you KNOW you want.

2. Always use Stored Procedures and call them with arguments instead of letting text strings (SQL injections) take control of your (backend) SQL server(s).

Sticking to those rules will make life a lot easier for admins, consultants and security guys like me. Tell your company developers, third-party software vendors etc. to stick to the rules (even though they should know them by heart already) - spread the word and life will be a lot easier for all of us good people around the globe :)
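The two rules side by side, as an added example that is not part of the post (Python with SQLite; SQLite has no stored procedures, so rule 2 is shown through the mechanism a stored-procedure call with arguments also relies on: a fixed statement plus bound parameters, with the input never becoming part of the statement text). The users table and its rows are constructed sample data.

```python
"""Rule 1 (accept only what you know you want) and rule 2 (never let input
become part of the statement) next to a lookup that breaks both, using SQLite.

Added example, not the blog's own code. Table contents are constructed.
"""
import re
import sqlite3
from typing import List, Tuple

# Rule 1: an allow-list describing what a username may look like. Anything
# else is refused before it gets anywhere near the database.
USERNAME_OK = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_acceptable_username(value: str) -> bool:
    return USERNAME_OK.match(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Breaks both rules: the user's text is pasted into the statement, so the
    text decides what the statement means."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Rule 2 on its own: the statement text is constant and the value travels
    as a bound parameter, so it can only ever be compared against the column."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (username,)
    ).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Rule 1 then rule 2: refuse anything outside the allow-list, then bind."""
    if not is_acceptable_username(username):
        return []
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # text that rewrites the vulnerable statement's WHERE clause
    print("vulnerable:   ", lookup_vulnerable(db, probe))      # every row
    print("parameterised:", lookup_parameterised(db, probe))   # []
    print("safe:         ", lookup_safe(db, "alice"))          # [('alice', 'admin')]
```

Rule 2 alone already stops the statement from being rewritten; rule 1 adds defence in depth and keeps odd input out of logs, error messages and any later code path that does build strings.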

I have to blog this right away - it will be part of a larger "GP Processing" article at some point though... But this is IMHO important stuff which needs to get out there quick :)

I've heard the following sentence too many times (in one way or the other): "You can only assign Group Policy Objects to Site, Domain Level or OU's"...

- but that's only partly true! Normally in newsgroups, forums etc. this leaves the readers (e.g. someone who asked a GP question or whatever) with the impression that you cannot "hit" members of a certain Security Group only (which leaves you with "Site/Domain/OU Filtering" and/or "WMI Filtering" as the only possible choices available). But that's simply not fair to the amazing Group Policy processing engine!

Even though "WMI Filtering" is pretty well-known these days (after WS2003 arrived), many people tend to forget the little - but extremely effective and flexible - thing called "Security Filtering" (even though it's somewhat more "Basic" compared to WMI)...

Let's talk about it for a minute or two if you are interested...

You can set this kind of filtering within the Group Policy Management Console (GPMC) on either the Scope tab:

- or the Delegation tab (a bit more Advanced):

As you can see, by DEFAULT all Group Policy Objects (GPO) include "Authenticated Users" with both Allow:"Read" and Allow:"Apply Group Policy" permissions set. Both of these permissions are needed for users and computers to take on (or process) a given GPO:

The thing about the very important "Authenticated Users" group is that it includes ALL User AND Computer accounts/objects within the AD domain (Domain Controllers too, right). So, by default a GPO applies to both computers and users (we are not going to talk about disabling GPO parts etc. now).

That's the "technical" explanation why policies placed on:
a) the Site apply to ALL users and computers within the Site (the user's site follows the computer's site, and the site follows the IP address)
b) the Domain Level apply to ALL users and computers within the Domain
c) any given OU apply to ALL users and computers within that particular OU (and sub-OUs for that matter)
=> because the "Authenticated Users" security group is there by default. These default permissions on new GPOs are handled by something called "Security Descriptors", but more on that in some other blog or article.

So, we have Security permissions on all of our GPOs (unfortunately not on the GPO links, but that's another talk) - leaving us with GREAT power to control to whom the particular GPO should be assigned (or 'applied'). All we need to do is change the default permissions and <Zaboooka!> we are in complete control.

First step is generally to remove the "Authenticated Users" group from the GPO in question. Click Remove (below Security Filtering section) on the Scope tab and click OK:

Click Add... and select the domain security group you want to "hit" - click OK when done:

And <poof>, this GPO will only apply to members of "The Sales Group" - or whatever group (or user, or computer object...) you selected:

Now all you need to do is to link the GPO to the Domain Level (or Site or OU if that's better in your case) - but the Domain Level should be fine for most environments.

Now, you could turn this around and Exclude certain groups, users or computers - by setting Deny:"Apply Group Policy" instead. In some cases that might be the best choice - but as always with "deny" you have to watch out (mainly because deny overrides allow)!

Also note that Security groups can include both user and computer accounts - we are maybe used to thinking that groups are for users only (in my experience most admins know the "Domain Users" group - but the "Domain Computers" group is not that well known)... But, with this in mind, you could make a group of computers instead of applying a WMI filter for instance (which is generally slower).

You could use other methods for setting permissions than the GPMC (like scripts) - but the GPMC is a wonderful tool for doing this easily - no sweat!